What I learned from my first CTF

My older son is a hacker. He’s going off to school to learn to be a better hacker. And the way hackers compete for fun, apparently, is a game called Capture the Flag. Two weeks ago, my hacker started a new CTF. It looked so fun, I decided to give it a shot as well.

The game I joined was picoCTF. It works like this: you create an account (usually with a pseudonym) and solve challenges for points. Each challenge results in a “flag,” which you can enter into the website. The flags are often strings of numbers and characters, and they may be found in any number of ways and require a multitude of tools and skills. Here is the one that got me hooked:

You’ve found a mystery machine with a sticky note attached to it! Oh, there’s also this picture of the machine you found.

While I’ve talked about Enigma to my classes, I’d never actually used it before. And a lot of the challenges were like that for me. I knew about SQL injections, where a poorly coded website can be made to execute foreign code through an input box like login name. Now, I have actually done it.

Most of the questions took me between ten minutes and 10 hours of research to solve. One particularly frustrating problem I finally managed dealt with decrypting an RSA-CRT code. I had to write a program in Python (in which I am not proficient) to solve it, using math I have never used before. While I’d heard of RSA and knew generally what it was used for, I had never bothered to look into the details. Now I know a lot more about both RSA and Python, including the difference between using exponents in the form x**y, which may take hours to computer, and using the pow() function, which may take seconds.

And this is the real value of the CTF to me. I have learned a lot of things that are good to know, such as the basics of assembly language or steganography. And I’ve learned to use some really neat tools, such as hex editors and debuggers. And I really got familiar with command-line tools such as nc and pico. And, aside from some help from my son, I learned all this on my own at the prompting of the contest. All for points which can’t be exchanged for anything but pride.

I highly recommend giving picoCTF a try. Even if you only solve a couple challenges, you are sure to learn something. I will definitely be taking some of these ideas into my classroom!